Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the sca≈nners provide insight to the state of malware in websites.
The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. "We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.
Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."
The majority of Sitelock's customers are typically small businesses and blogs. "Many website owners remain unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they've been compromised," said Ortega. This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.
Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of WordPress sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.
It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, Sitelock cleaned an average of 672,655 malicious files every week. It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.
Jessica Ortega, research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files. Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.
One of the problems is that the average website is very easy to compromise. Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.
Even CSM security updates can be used against the website if they are not immediately installed. "Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those vulnerabilities. They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."
Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," explains Ortega. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.
"Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal. Or they're just trying to further spread their malware to visitors via exploit kits."
Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited; but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.
Sixteen percent of infected sites were subsequently defaced, often with a political or religious message, often by such skiddies.